everyone. I am developing a NDIS 6 filter driver (LWF). the NdisFRegisterFilterDriver call in the DriverEntry routine failed with NDIS_STATUS_FAILURE. This only happens to Win8 x86, the driver can normally run under Win7 x86. It is so strange. I have seen this thread but no use:
Why does NdisFRegisterFilterDriver return NDIS_STATUS_FAILURE?
Here's my DriverEntry routine and the inf file.
_Use_decl_annotations_
NTSTATUS
DriverEntry(
IN PDRIVER_OBJECT DriverObject,
IN PUNICODE_STRING RegistryPath
)
{
NDIS_FILTER_DRIVER_CHARACTERISTICS FChars;
NTSTATUS Status = STATUS_SUCCESS;
// NDIS_STRING FriendlyName = NDIS_STRING_CONST("WinPcap NDIS LightWeight Filter");
// NDIS_STRING UniqueName = NDIS_STRING_CONST("{5cbf81bd-5055-47cd-9055-a76b2b4e2637}"); //unique name, quid name
// NDIS_STRING ServiceName = NDIS_STRING_CONST("npf6x"); //this to match the service name in the INF
NDIS_STRING FriendlyName = RTL_CONSTANT_STRING(L"WinPcap NDIS LightWeight Filter");
NDIS_STRING UniqueName = RTL_CONSTANT_STRING(L"{5cbf81bd-5055-47cd-9055-a76b2b4e2637}"); //unique name, quid name
NDIS_STRING ServiceName = RTL_CONSTANT_STRING(L"npf6x"); //this to match the service name in the INF
WCHAR* bindT;
PKEY_VALUE_PARTIAL_INFORMATION tcpBindingsP;
UNICODE_STRING macName;
ULONG OsMajorVersion, OsMinorVersion;
TRACE_ENTER();
UNREFERENCED_PARAMETER(RegistryPath);
FilterDriverObject = DriverObject;
//
// Get OS version and store it in a global variable.
//
// Note: both RtlGetVersion() and PsGetVersion() are documented to always return success.
//
// OsVersion.dwOSVersionInfoSize = sizeof(OsVersion);
// RtlGetVersion(&OsVersion);
//
PsGetVersion(&OsMajorVersion, &OsMinorVersion, NULL, NULL);
TRACE_MESSAGE2(PACKET_DEBUG_INIT, "OS Version: %d.%d\n", OsMajorVersion, OsMinorVersion);
NdisInitUnicodeString(&g_NPF_Prefix, g_NPF_PrefixBuffer);
//
// Get number of CPUs and save it
//
#ifdef NDIS620
g_NCpu = NdisGroupMaxProcessorCount(ALL_PROCESSOR_GROUPS);
#else
g_NCpu = NdisSystemProcessorCount();
#endif
//
// TODO: Most handlers are optional, however, this sample includes them
// all for illustrative purposes. If you do not need a particular
// handler, set it to NULL and NDIS will more efficiently pass the
// operation through on your behalf.
//
//
// Register as a service with NDIS
//
// NdisZeroMemory(&FChars, NDIS_SIZEOF_FILTER_DRIVER_CHARACTERISTICS_REVISION_1);
// FChars.Header.Type = NDIS_OBJECT_TYPE_FILTER_DRIVER_CHARACTERISTICS;
// FChars.Header.Size = NDIS_SIZEOF_FILTER_DRIVER_CHARACTERISTICS_REVISION_1;
// FChars.Header.Revision = NDIS_FILTER_CHARACTERISTICS_REVISION_1;
//
// Register as a service with NDIS
//
NdisZeroMemory(&FChars, sizeof(NDIS_FILTER_DRIVER_CHARACTERISTICS));
FChars.Header.Type = NDIS_OBJECT_TYPE_FILTER_DRIVER_CHARACTERISTICS;
FChars.Header.Size = sizeof(NDIS_FILTER_DRIVER_CHARACTERISTICS);
#if NDIS_SUPPORT_NDIS61
FChars.Header.Revision = NDIS_FILTER_CHARACTERISTICS_REVISION_2;
#else
FChars.Header.Revision = NDIS_FILTER_CHARACTERISTICS_REVISION_1;
#endif
FChars.MajorNdisVersion = NDIS_FILTER_MAJOR_VERSION;
FChars.MinorNdisVersion = NDIS_FILTER_MINOR_VERSION;
FChars.MajorDriverVersion = 1;
FChars.MinorDriverVersion = 0;
FChars.Flags = 0;
FChars.FriendlyName = FriendlyName;
FChars.UniqueName = UniqueName;
FChars.ServiceName = ServiceName;
FChars.SetOptionsHandler = NPF_RegisterOptions;
FChars.AttachHandler = NPF_Attach;
FChars.DetachHandler = NPF_Detach;
FChars.RestartHandler = NPF_Restart;
FChars.PauseHandler = NPF_Pause;
FChars.SetFilterModuleOptionsHandler = NPF_SetModuleOptions;
FChars.OidRequestHandler = NPF_OidRequest;
FChars.OidRequestCompleteHandler = NPF_OidRequestComplete;
FChars.CancelOidRequestHandler = NPF_CancelOidRequest;
FChars.SendNetBufferListsHandler = NPF_SendEx;
FChars.ReturnNetBufferListsHandler = NPF_ReturnEx;
FChars.SendNetBufferListsCompleteHandler = NPF_SendCompleteEx;
FChars.ReceiveNetBufferListsHandler = NPF_TapEx;
FChars.DevicePnPEventNotifyHandler = NPF_DevicePnPEventNotify;
FChars.NetPnPEventHandler = NPF_NetPnPEvent;
FChars.StatusHandler = NPF_Status;
FChars.CancelSendNetBufferListsHandler = NPF_CancelSendNetBufferLists;
DriverObject->DriverUnload = NPF_Unload;
//
// Initialize spin locks
//
//NdisAllocateSpinLock(&FilterListLock);
//InitializeListHead(&FilterModuleList);
//
// Standard device driver entry points stuff.
//
DriverObject->MajorFunction[IRP_MJ_CREATE] = NPF_OpenAdapter;
DriverObject->MajorFunction[IRP_MJ_CLOSE] = NPF_CloseAdapter;
DriverObject->MajorFunction[IRP_MJ_CLEANUP] = NPF_Cleanup;
DriverObject->MajorFunction[IRP_MJ_READ] = NPF_Read;
DriverObject->MajorFunction[IRP_MJ_WRITE] = NPF_Write;
DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = NPF_IoControl;
bindP = getAdaptersList();
if (bindP == NULL)
{
TRACE_MESSAGE(PACKET_DEBUG_INIT, "Adapters not found in the registry, try to copy the bindings of TCP-IP.");
tcpBindingsP = getTcpBindings();
if (tcpBindingsP == NULL)
{
TRACE_MESSAGE(PACKET_DEBUG_INIT, "TCP-IP not found, quitting.");
goto RegistryError;
}
bindP = (WCHAR *)tcpBindingsP;
bindT = (WCHAR *)(tcpBindingsP->Data);
}
else
{
bindT = bindP;
}
for (; *bindT != UNICODE_NULL; bindT += (macName.Length + sizeof(UNICODE_NULL)) / sizeof(WCHAR))
{
RtlInitUnicodeString(&macName, bindT);
NPF_CreateDevice(DriverObject, &macName);
}
Status = NdisFRegisterFilterDriver(DriverObject,
(NDIS_HANDLE) FilterDriverObject,
&FChars,
&FilterDriverHandle);
if (Status != NDIS_STATUS_SUCCESS)
{
TRACE_MESSAGE(PACKET_DEBUG_INIT, "Failed to register filter with NDIS.");
TRACE_EXIT();
return Status;
}
TRACE_EXIT();
return STATUS_SUCCESS;
RegistryError :
Status = STATUS_UNSUCCESSFUL;
TRACE_EXIT();
return(Status);
}
inf file:
;-------------------------------------------------------------------------
; NPF6X.INF -- NPF NDIS 6.x LightWeight Filter Driver
;
; Copyright (c) 2013, InSecure.Com, LLC. All rights reserved.
;------------------------------------------------------------------------
[version]
Signature = "$Windows NT$"
Class = NetService
ClassGUID = {4D36E974-E325-11CE-BFC1-08002BE10318}
CatalogFile = npf6x.cat
Provider = %Insecure%
DriverVer=08/18/2013,0.31.43.389
[Manufacturer]
%Insecure%=Insecure,NTx86,NTia64,NTamd64
[Insecure.NTx86]
%NPF6x_Desc%=Install, INSECURE_NPF6X
[Insecure.NTia64]
%NPF6x_Desc%=Install, INSECURE_NPF6X
[Insecure.NTamd64]
%NPF6x_Desc%=Install, INSECURE_NPF6X
;-------------------------------------------------------------------------
; Installation Section
;-------------------------------------------------------------------------
[Install]
AddReg=Inst_Ndi
Characteristics=0x40000
NetCfgInstanceId="{5cbf81bd-5055-47cd-9055-a76b2b4e2637}"
Copyfiles = npf6x.copyfiles.sys
[SourceDisksNames]
1=%NPF6x_Desc%,"",,
[SourceDisksFiles]
npf6x.sys=1
[DestinationDirs]
DefaultDestDir=12
npf6x.copyfiles.sys=12
[npf6x.copyfiles.sys]
npf6x.sys,,,2
;-------------------------------------------------------------------------
; Ndi installation support
;-------------------------------------------------------------------------
[Inst_Ndi]
HKR, Ndi,Service,,"npf6x"
HKR, Ndi,CoServices,0x00010000,"npf6x"
HKR, Ndi,HelpText,,%NPF6X_HelpText%
HKR, Ndi,FilterClass,, compression
; For a Monitoring filter, use this:
; HKR, Ndi,FilterType,0x00010001, 1 ; Monitoring filter
; For a Modifying filter, use this:
; HKR, Ndi,FilterType,0x00010001, 2 ; Modifying filter
HKR, Ndi,FilterType,0x00010001,2
HKR, Ndi\Interfaces,UpperRange,,"noupper"
HKR, Ndi\Interfaces,LowerRange,,"nolower"
; TODO: Ensure that the list of media types below is correct. Typically,
; filters include "ethernet". Filters may also include "ppip" to include
; native WWAN stacks, but you must be prepared to handle the packet framing.
; Possible values are listed on MSDN, but common values include:
; ethernet, wan, ppip, wlan
HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, wan, ppip, wlan"
; For a Mandatory filter, use this:
; HKR, Ndi,FilterRunType,0x00010001, 1 ; Mandatory filter
; For an Optional filter, use this:
; HKR, Ndi,FilterRunType,0x00010001, 2 ; Optional filter
HKR, Ndi,FilterRunType,0x00010001, 2 ; Optional filter
; By default, Mandatory filters unbind all protocols when they are
; installed/uninstalled, while Optional filters merely pause the stack. If you
; would like to override this behavior, you can include these options. These
; options only take effect with 6.30 filters on Windows "8" or later.
; To prevent a full unbind, and merely pause/restart protocols:
; HKR, Ndi,UnbindOnAttach,0x00010001, 0 ; Do not unbind during FilterAttach
; HKR, Ndi,UnbindOnDetach,0x00010001, 0 ; Do not unbind during FilterDetach
; To force a full unbind/bind (which includes pause/restart, of course):
; HKR, Ndi,UnbindOnAttach,0x00010001, 1 ; Unbind during FilterAttach
; HKR, Ndi,UnbindOnDetach,0x00010001, 1 ; Unbind during FilterDetach
;
;-------------------------------------------------------------------------
; Service installation support
;-------------------------------------------------------------------------
[Install.Services]
AddService=npf,,NPF6X_Service_Inst
[NPF6X_Service_Inst]
DisplayName = %NPF6x_Desc%
ServiceType = 1 ;SERVICE_KERNEL_DRIVER
StartType = 3 ;SERVICE_DEMAND_START
ErrorControl = 1 ;SERVICE_ERROR_NORMAL
ServiceBinary = %12%\npf6x.sys
LoadOrderGroup = NDIS
Description = %NPF6x_Desc%
[Install.Remove.Services]
DelService=npf,0x200 ; SPSVCINST_STOPSERVICE
[NdisImPlatformBindingOptions.reg]
; By default, when an LBFO team or Bridge is created, all filters will be
; unbound from the underlying members and bound to the TNic(s). This keyword
; allows a component to opt out of the default behavior
; To prevent binding this filter to the TNic(s):
; HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,1 ; Do not bind to TNic
; To prevent unbinding this filter from underlying members:
; HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,2 ; Do not unbind from Members
; To prevent both binding to TNic and unbinding from members:
; HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,3 ; Do not bind to TNic or unbind from Members
HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,0 ; Subscribe to default behavior
[Strings]
Insecure = "Nmap Project"
NPF6X_Desc = "WinPcap Lightweight Filter Driver (NPF)"
NPF6X_HelpText = "A NDIS 6 kernel filter driver to support packet capturing under Windows 7 & Windows 8"
https://stackoverflow.com/questions/18352982
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian